Gmail users are reporting that spam emails are turning up in their sent folder. To the users involved, it looks as if their own accounts were used to send that spam, and many have rushed to change their passwords and enable stronger security. But in actual fact, it’s just a clever spam campaign and affected accounts have not been compromised.
When you find spam emails in your sent folder, your first thought is that your account has been hacked. Someone else must have gained access, and now they’re using your email address to distribute their trash. How else would those emails have ended up there?
That’s the question a bunch of Gmail users were asking Sunday morning when they found spam in their inbox and their sent folder. Some changed their passwords immediately under the assumption their accounts had been hacked. Many could not understand how their accounts had been accessed with two-factor authentication enabled. But the emails continued to appear.
“My email account has sent out 3 spam emails in the past hour to a list of about 10 addresses that I don’t recongnize [sic],” writes one users on a Google help forum. “I changed my password immediately after the first one, but then it happened again 2 more times.”
The emails were typical spam, mostly advertising growth supplements, weight loss miracles, and loans. However, the way in which they were distributed made them somewhat unique; spammers had cleverly composed the email headers to trick Gmail into thinking the emails were sent by the recipient.
Google has now acknowledged the problem, ensured all those emails are properly classified as spam, and started taking steps to prevent this from happening again. Here’s the statement it sent to Mashable:
We are aware of a spam campaign impacting a small subset of Gmail users and have actively taken measures to protect against it. This attempt involved forged email headers that made it appear as if users were receiving emails from themselves, which also led to those messages erroneously appearing in the Sent folder. We have identified and are reclassifying all offending emails as spam, and have no reason to believe any accounts were compromised as part of this incident. If you happen to notice a suspicious email, we encourage you to report it as spam. More information on how to report spam can be found by visiting our .
The good news is that accounts affected by this were not compromised, so no one had access to your emails. There’s no need to change your password, but we still recommend using two-factor authentication if you don’t already have it activated.